How to get certificates signed by a third-party

This topic describes one way you can use the version of OpenSSL that ships with Splunk Enterprise to obtain third-party certificates that you can use to secure your forwarder-to-indexer and inter-Splunk communication.

Note: If you plan to use multiple common names in your configurations, you can repeat the steps described here to create a different server certificate for each instance, each with its own common name and all signed by the same root CA, and then configure your Splunk instances to use them. See Configure Splunk forwarding to use your own certificates for more information about configuring your forwarders and indexers.

Before you begin

In this discussion, $SPLUNK_HOME refers to the Splunk Enterprise installation directory. We recommend that you follow this convention, but if you do not, you should replace $SPLUNK_HOME with your installation directory when using these examples.

For Windows, you might need to set this variable at the command line or in the Environment tab in the System Properties dialog.

Default home directories depend on your platform:

For Windows, the Splunk Enterprise directory is at C:\Program Files\Splunk by default.

For most *nix platforms, the default installation directory is at /opt/splunk.

For Mac OS, it is /Applications/splunk.

See the Administration Guide to learn more about working with Windows and *nix.

Create a new directory for your certificates

Create a new directory for your new certificates. In our example, we are using $SPLUNK_HOME/etc/auth/mycerts:

When you make a new folder you protect the existing certificates and keys in $SPLUNK_HOME/etc/auth. Working in a new directory protects the default certificates and lets you use them for other Splunk Software components as necessary.

Request your server certificate

Important: This example shows you how to create a new private key and request a server certificate. You can distribute this server certificate to all forwarders and indexers, as well as your Splunk instances that communicate on the management port. If you want to use a different common name for each instance, repeat the process described here to create different certificates (each with a different common name) for your Splunk instances.

For example, when configuring multiple forwarders, you can use the following example to create the certificate myServerCertificate.pem for your indexer, then create another certificate myForwarderCertificate.pem using the same root CA and install that certificate on your forwarder. An indexer will only accept a properly generated and configured certificate from a forwarder that is signed by the same root CA.

2. When prompted, provide the password you created for your private key myServerPrivateKey.key.

3. Provide the requested information for your certificate. To use common-name checking, make sure to provide a Common Name when entering your certificate details.

When you are done, a new CSR myServerCertificate.csr appears in your directory.

Download and verify the server certificate and public key

1. Send your CSR to your Certificate Authority (CA) to request a new server certificate. The request process varies based on the Certificate Authority you use.

2. Download the new server certificate from your Certificate Authority. For the examples in this manual, let's call this myServerCertificate.pem.

3. Also download your Certificate Authority's public CA certificate. For the examples in this manual, let's call this myCACertificate.pem.

If your Certificate Authority does not provide you with certificates in PEM format, you must convert them using the OpenSSL command appropriate to your existing file type. Consult your OpenSSL documentation for more information about converting different file types.

4. View the contents to make sure it has everything you need:

The "Issuer" entry should refer to your CA's information.

The "Subject" entry should show the information (country name, organization name, Common Name, etc) that you entered when creating the CSR earlier.

Note: For *nix, you can view the contents of your certificate using the following command:
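Step 4 checks the Issuer and Subject by eye; before installing the files it is also worth confirming that the certificate is PEM, unexpired, chains to myCACertificate.pem, and matches myServerPrivateKey.key. The script below is an added example, not part of the Splunk documentation; it assumes an `openssl` binary on PATH, and the function names and return codes are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not Splunk's code). Assumes `openssl` is on PATH.
# Function names and return codes are illustrative.
#
# Usage, with the file names from this page:
#   cd "$SPLUNK_HOME/etc/auth/mycerts"
#   verify_server_cert myServerCertificate.pem myServerPrivateKey.key myCACertificate.pem

# SHA-256 of a PEM public key read from stdin.
pubkey_hash() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# Issuer and Subject in one stable format, for the step-4 visual check.
cert_names() {
    openssl x509 -in "$1" -noout -issuer -subject -nameopt RFC2253
}

# verify_server_cert CERT KEY CAFILE [PASSIN]
# PASSIN is an openssl pass-phrase source such as env:KEY_PASS; omit it to be
# prompted for the key password. Returns 0 only if every check passes.
verify_server_cert() {
    cert=$1; key=$2; ca=$3; passin=${4:-}

    # 1. Must be PEM; a DER or PKCS#7 file from the CA needs converting first.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "FAIL: $cert is not PEM" >&2; return 1; }
    cert_names "$cert"

    # 2. Not past its expiry date (checked first so the cause is reported clearly).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $cert has expired" >&2; return 4; }

    # 3. Chains to the CA file. If the CA issued through intermediates,
    #    CAFILE must contain them as well as the root.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $ca" >&2; return 2; }

    # 4. The private key belongs to this certificate: both must yield the
    #    same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | pubkey_hash)
    key_pub=$(openssl pkey -in "$key" -pubout ${passin:+-passin "$passin"} \
        2>/dev/null | pubkey_hash)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert" >&2; return 3; }

    echo "OK: $cert"
}
```

A certificate for a forwarder can be checked the same way by passing its own certificate and key with the same CA file.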

Next steps

You should now have the following files in the directory you created, which is everything you need to configure indexers, forwarders, and Splunk instances that communicate over the management port:

myServerCertificate.pem

myServerPrivateKey.key

myCACertificate.pem

Now that you have the certificates you need, you must prepare your server certificate (including appending any intermediate certificates), and then configure Splunk software to find and use your certificates:

It would be helpful if there was an instruction in this document on how to view the contents of a pem-encoded certificate that has been received from the third-party in Windows and Linux.

For instance, under section entitled "Download and verify the server certificate and public key", at the end of point 4., there should be instruction for verifying the server certificate in Linux such as:
"To view the contents of the PEM-encoded certificate in Linux via openssl, use the following command which will print the cert contents in plain-text.
openssl x509 -in myServerCertificate.pem -text"
